CVE-2026-21877

n8n · n8n

An authenticated remote code execution vulnerability exists in n8n workflow automation platform versions 0.121.2 and below.

Executive summary

An authenticated remote code execution vulnerability in n8n allows attackers to compromise both self-hosted and cloud instances, necessitating an immediate upgrade to version 1.121.3.

Vulnerability

This vulnerability involves a critical flaw in the n8n workflow platform that allows an authenticated attacker to execute arbitrary code. The flaw impacts the service architecture, potentially leading to full system compromise.

Business impact

The ability for an authenticated attacker to execute malicious code poses a severe risk to organizational data integrity and system availability. Given the CVSS score of 9.9, this vulnerability represents a near-total loss of control over the affected n8n instance. Successful exploitation could lead to data exfiltration, lateral movement within the network, and complete service disruption.

Remediation

Immediate Action: Upgrade all n8n instances to version 1.121.3 or later immediately.

Proactive Monitoring: Review application access logs for unusual workflow executions or unauthorized modifications to automation configurations.

Compensating Controls: Disable the Git node functionality and restrict user access to trusted personnel only until the software can be patched.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

This vulnerability presents a critical threat to the security of your workflow automation environment. Organizations should prioritize patching to version 1.121.3 as the primary mitigation strategy to prevent unauthorized code execution and potential system takeover.